Add option to disable warning on user uploaded attachments

kernchen-brc · kernchen-brc · commit 853cdd7ee17c · 2026-04-24T10:31:05.000+02:00
diff --git a/src/Controller/AttachmentFileController.php b/src/Controller/AttachmentFileController.php
@@ -65,6 +65,7 @@ public function htmlSandbox(Attachment $attachment, AttachmentsSettings $attachm
         $response = $this->render('attachments/html_sandbox.html.twig', [
             'attachment' => $attachment,
             'content' => $attachmentContent,
+            'show_warning' => $attachmentsSettings->showHTMLAttachmentWarning,
         ]);
 
         //Set an CSP that allows to run inline scripts, styles and images from external ressources, but does not allow any connections or others.
diff --git a/src/Settings/SystemSettings/AttachmentsSettings.php b/src/Settings/SystemSettings/AttachmentsSettings.php
@@ -65,4 +65,11 @@ class AttachmentsSettings
         envVar: "bool:ATTACHMENT_SHOW_HTML_FILES", envVarMode: EnvVarMode::OVERWRITE
     )]
     public bool $showHTMLAttachments = false;
+
+    #[SettingsParameter(
+        label: new TM("settings.system.attachments.showHTMLAttachmentWarning"),
+        description: new TM("settings.system.attachments.showHTMLAttachmentWarning.help"),
+        envVar: "bool:ATTACHMENT_SHOW_HTML_WARNING", envVarMode: EnvVarMode::OVERWRITE
+    )]
+    public bool $showHTMLAttachmentWarning = true;
 }
diff --git a/templates/attachments/html_sandbox.html.twig b/templates/attachments/html_sandbox.html.twig
@@ -50,6 +50,7 @@
 
     <div class="wrapper">
 
+        {% if show_warning %}
         <header>
             <header class="warning-bar">
                 <b>⚠️ {% trans%}attachment.sandbox.warning{% endtrans %}</b>
@@ -62,6 +63,7 @@
                 </small>
             </header>
         </header>
+        {% endif %}
 
         <iframe  referrerpolicy="no-referrer" class="content-frame"
                  {# When changing this sandbox, also change the sandbox CSP in the controller #}
diff --git a/translations/messages.en.xlf b/translations/messages.en.xlf
@@ -13001,6 +13001,18 @@ Buerklin-API Authentication server:
         <target>WARNING: You are viewing an user uploaded attachment. This is untrusted content. Proceed with care.</target>
       </segment>
     </unit>
+    <unit id="Ax9Tml2" name="settings.system.attachments.showHTMLAttachmentWarning">
+      <segment state="translated">
+        <source>settings.system.attachments.showHTMLAttachmentWarning</source>
+        <target>Show warning when opening user uploaded attachments</target>
+      </segment>
+    </unit>
+    <unit id="Bx3Nkp8" name="settings.system.attachments.showHTMLAttachmentWarning.help">
+      <segment state="translated">
+        <source>settings.system.attachments.showHTMLAttachmentWarning.help</source>
+        <target>When enabled, a warning banner is shown when viewing user uploaded HTML attachments in the sandbox, reminding the user that the content is untrusted.</target>
+      </segment>
+    </unit>
     <unit id="bRcdnJK" name="attachment.sandbox.back_to_partdb">
       <segment state="translated">
         <source>attachment.sandbox.back_to_partdb</source>
